Download:
pdf |
pdfSupplemental Supporting Statement for Final Rule
Amendments to the Children’s Online Privacy Protection Rule,
16 CFR Part 312
(OMB Control # 3084-0117)
Overview
The current Children’s Online Privacy Protection Rule, 16 CFR Part 312 (“COPPA Rule”
or “Rule”), contains recordkeeping, disclosure, and reporting requirements that constitute
“information collection requirements” as defined by 5 CFR 1320.3(c) under the Office of
Management and Budget (“OMB”) regulations that implement the Paperwork Reduction Act
(“PRA”). OMB has approved the Rule’s existing information collection requirements through
April 30, 2028 (OMB Control No. 3084-0117).
The Federal Trade Commission (“FTC” or “Commission”) is finalizing amendments to
the COPPA Rule that will increase disclosure obligations for covered operators of websites and
online services and FTC-approved COPPA Safe Harbor programs. Additionally, FTC-approved
COPPA Safe Harbor programs will face additional reporting obligations under the amended
Rule. The amended Rule adopts the disclosure and reporting requirements proposed in the
Notice of Proposed Rulemaking (“NPRM”) that the Commission issued as part of this
rulemaking in 2024,1 minus those related to the proposed school authorization exception and the
proposed requirement that operators who use the support for the internal operations exception to
the Rule’s verifiable parental consent requirement disclose the means they use to ensure they do
not use or disclose persistent identifiers to encourage or prompt use of a website or online
service.
Upon publication of the NPRM, the Commission submitted an associated clearance
request with a Supporting Statement to OMB. In response, OMB filed a comment, requesting
that the Commission resubmit the clearance request upon finalizing the proposed amendments.
Accordingly, the Commission is submitting the amended Rule and this Supplemental Supporting
Statement to OMB for review under the PRA.
(1) & (2)
Necessity for and Use of the Information Collected
The Children’s Online Privacy Protection Act (“COPPA” or “Act”), 15 U.S.C. 6501 et
seq., prohibits unfair and deceptive acts and practices in connection with the collection of
personal information from children online and the use and disclosure of such information. The
COPPA Rule, 16 CFR part 312, implements this prohibition by requiring commercial websites
to, among other things, provide notice and obtain parental consent before collecting, using, or
disclosing personal information from children under age thirteen, with limited exceptions.
On July 25, 2019, the FTC announced that it was undertaking a review of the Rule,
noting that questions had arisen about the Rule’s application to the educational technology sector,
voice-enabled connected devices, and general audience platforms that host third-party child1
89 FR 2034 (Jan. 11, 2024).
�directed content. The Commission sought public comment on these and other issues, including
specific questions about the Rule’s provisions and the 2013 amendments of the Rule. In
response, the Commission received over 175,000 comments from various stakeholders, including
industry representatives, video content creators, consumer advocacy groups, academics,
technologists, Safe Harbor programs, members of Congress, and individual members of the
public.
Following consideration of the submitted public comments, viewpoints expressed during
a FTC-hosted public workshop on the COPPA Rule in October 2019, and the Commission’s
experience enforcing the Rule, the Commission proposed a number of changes to the Rule to
help ensure the Rule remains relevant to changing technology and business practices. After
notice and comment, the Commission amends the Rule, including by adopting the following
disclosure and reporting requirements proposed in the NPRM:
•
A new requirement that operators establish, implement, maintain, and disclose a data
retention policy.
•
Various new disclosure requirements on operators already subject to the Rule.
Specifically, these operators are required to update existing disclosures, namely, to update
the direct and online notices with additional information about the operators’ information
practices. Also, the operators utilizing the support for the internal operations exception,
16 CFR 312.5(c)(7), are required to provide an online notice. Additionally, operators are
required to disclose a data retention policy.
•
Each FTC-approved COPPA Safe Harbor program is required to provide a list of all
current subject operators and their certified websites and services on each of the FTCapproved COPPA Safe Harbor program’s websites and online services, and to update
such list every six months thereafter.
•
FTC-approved COPPA Safe Harbor programs are required to include additional content
in their annual reports and to submit a report to the Commission every three years
detailing the programs’ technological capabilities and mechanisms for assessing subject
operators’ fitness for membership in the programs.
The amendments are expected to promote transparency, enhance parents’ ability to make
informed decisions about whether to consent to the collection of their children’s personal
information, and strengthen oversight over operators’ and FTC-approved COPPA Safe Harbor
programs’ practices.
(3)
Consideration of the Use of Information Technology to Reduce Burden
The amendments permit the use of any technologies that covered firms may wish to
employ and that may reduce the burden of information collection, consistent with the aims of the
Government Paperwork Elimination Act, 44 U.S.C. 3504 note. The Commission has taken care
2
�in developing the amendments to set performance standards that will establish the objective
results that must be achieved by regulated entities, but do not mandate a particular technology
that must be employed in achieving these objectives. For example, § 312.5(b)(1) of the amended
Rule maintains the standard that requires operators to “make reasonable efforts to obtain
verifiable parental consent, taking into consideration available technology” when designing
consent mechanisms. Amended § 312.5(b)(2) adds to the existing non-exhaustive list of
acceptable methods for obtaining consent two methods that include technologies the Commission
has approved since the Commission last revised the COPPA Rule in 2013 and a “text plus”
consent method that the Commission added in response to public comments related to the
NPRM’s proposal to add to the Rule’s definition of “online contact information” “a mobile
telephone number provided the operator uses it only to send a text message.”. In addition, the
amendments to § 312.8 require operators to establish, implement, and maintain a written
children’s information security program. Rather than specifying particular technical or other
safeguards that operators must include in their information security programs, the amendments
require operators to include safeguards that are appropriate to the sensitivity of the personal
information collected from children and the operators’ size, complexity, nature and scope of
activities, and internal and external risks to the confidentiality, security, and integrity of personal
information collected from children as identified through risk assessments.
(4)
Efforts to Identify Duplication
The Commission has not identified any other federal statutes, rules, or policies that would
duplicate, overlap, or conflict with the amended Rule.
(5)
Efforts to Minimize Burden on Small Organizations
In drafting the amendments, the Commission has made every effort to avoid unduly
burdensome requirements for entities, including small entities. The Commission believes that
the amendments are necessary to continue to protect children’s online privacy in accordance with
the purposes of COPPA. For each of the amendments, the Commission has attempted to tailor
the provision to any concerns evidenced by the record. On balance, the Commission believes
that the benefits to children and their parents outweigh any potential increased costs of
implementation to industry.
For example, while the Commission has amended § 312.8 of the Rule to provide
additional clarity as to steps operators can take to comply with § 312.8’s “reasonable procedures”
standard for protecting the confidentiality, security, and integrity of personal information
collected from children, as discussed above, the Commission has generally avoided specifying
particular technical or other safeguards that operators must include in their information security
programs. The amended Rule will enable operators to implement safeguards that are appropriate
to the sensitivity of the personal information collected from children; the operators’ size,
complexity, nature and scope of activities; and the internal and external risks to the
confidentiality, security, and integrity of the personal information collected from children as
identified through risk assessments.
3
�The Commission took care in developing the amendments to set performance standards
that establish the objective results that regulated entities must achieve but do not mandate the
employment of particular technologies to achieve these objectives. In sum, the agency has
worked to minimize any significant economic impact on small businesses.
(6)
Consequences of Conducting the Collection Less Frequently
Less frequent disclosures would violate the express statutory language and intent of
COPPA. The Act requires both that notice be given online and that notice regarding the
operator’s information practices be given to parents upon request. Parental notice under the Rule
works in tandem with COPPA’s mandated parental consent requirement. Thus, the Rule does not
require notices any more frequently than necessary for operators to comply with the Act and to
enable parents to make an informed decision about an operator’s collection, maintenance, use, or
disclosure of their children’s personal information. While the amendments include additional
content requirements for such notices, they do not require more frequent disclosures than what is
required by statute.
(7)
Circumstances Requiring Collection Inconsistent With Guidelines
The changes to the collection of information are consistent with all applicable guidelines
contained in 5 CFR 1320.5(d)(2).
(8)
Public Comments/Consultation Outside the Agency
Since the Rule was first enacted in 2000, the Commission has, on an ongoing basis,
engaged with the affected public through informal and formal consultations. Among other
actions, this includes various Notices of Proposed Rulemaking issued in 20012 and 2005,3 and
rule reviews initiated in 20104 and 2019.5 Separately, the Commission has also sought public
comments every three years as part of the required process to receive renewed clearance for PRA
information collections.
In the instant context, in accordance with 5 CFR 1320.8(d), the Commission issued an
NPRM on January 11, 2024, setting forth proposed amendments to the Rule and requesting public
comments. See 89 FR 2034 (Jan. 11, 2024). In response, the Commission received 279 unique
comments from various interested parties including industry groups, consumer groups, and
individual consumers.6
2
66 FR 54963 (Oct. 31, 2001).
70 FR 2580 (Jan. 14, 2005).
4
75 FR 17089 (Apr. 5, 2010).
5
84 FR 35842 (July 25, 2019).
6
The 279 relevant public comments can be found at Regulations.gov. See FTC Seek Comments on the Children's
Online Privacy Protection Rule; COPPA Rule Review, Project No. P195404, https://www.regulations.gov/docket/FTC2024-0003.
3
4
�The Interactive Advertising Bureau (“IAB”) in its comment7 raised Paperwork Reduction
Act issues with respect to the requirement that operators develop a written security program, and
asked that the Commission clarify “that a generally applicable comprehensive data security
program will be in compliance with the proposed requirement if it addresses the sensitivity of
personal information, including information collected from children.”8 The Commission made a
change in the amended Rule to make clear that an operator is not required to implement
requirements specifically to protect the confidentiality, security, and integrity of personal
information collected from children if the operator has established, implemented, and maintained
an information security program that applies both to children’s personal information and other
information and otherwise meets the requirements the Commission had proposed in § 312.8 in the
2024 NPRM.
The IAB also asked that the FTC:
mitigate the burden to operators the written data retention policy requirement
proposed in the NPRM in § 312.10 would impose by clarifying that a general
description of the purposes for which personal information is collected and a
general statement of the operator’s retention timeframes suffices to satisfy the
requirement;
clarify that an existing data retention policy can serve as a “written children’s data
retention policy” for purposes of the proposed requirement, so long as it satisfies all
of the requirements described in the Rule and extends to children’s personal
information; and
ensure that the amended Rule not adopt the proposed requirement that operators
state the “business need for retaining” personal information, which the IAB
deemed “redundant with the required statement of purpose.”9
The Commission revised the NPRM proposal so that the amended Rule makes clearer that it will
not require an operator to establish, implement, and maintain a separate written children’s data
retention policy if the operator has established, implemented, and maintained a written data
retention policy that encompasses children’s personal information and meets the requirements the
Commission proposed in § 312.10 of the NPRM.
(9)
Payments and Gifts to Respondents
Not applicable.
7
Interactive Advertising Bureau (“IAB”) Cmt., https://www.regulations.gov/comment/FTC-2024-0003-0256 (Mar.
11, 2024).
8
IAB Cmt., at 23-24.
9
IAB Cmt., at 21-22
5
�(10)
Assurances of Confidentiality
Except for the current and amended Safe Harbor program reporting requirements, the
Rule’s requirements that regulated entities disclose and/or maintain records do not require the
submission of any such records to the agency. Thus, to the extent, if any, that the agency may
require production of such records for law enforcement purposes in specific proceedings, such
production would not constitute an information collection activity within the meaning of the
Paperwork Reduction Act. In any event, in such proceedings, records would be protected by law
from mandatory public disclosure.10 Report submissions associated with the Safe Harbor
program requirements are afforded protections that are associated with the designation of
confidentiality for their submissions as set forth in the FTC Act.11
(11)
Matters of a Sensitive Nature
Except for the proposed and current Safe Harbor program reporting requirements, the
Rule does not require the disclosure or production of sensitive or confidential information to the
Commission. To the extent that confidential information covered by a recordkeeping
requirement is collected by the Commission for law enforcement purposes, the confidentiality
provisions of Section 21 of the FTC Act, 15 U.S.C. 57b-2, will apply. Report submissions
associated with the Safe Harbor program requirements are afforded protections associated with
the designation of confidentiality for their submissions as set forth in the FTC Act.12
(12)
Estimated Annual Hours and Labor Cost Burden
Estimated Additional Annual Hours Burden: 145,961 (derived from 145,590 + 371).
A. Number of Respondents
As noted in the Regulatory Flexibility Section of the NPRM, Commission staff estimates
that there are currently approximately 6,140 operators subject to the Rule. FTC staff does not
believe that the amendments to the Rule’s definitions will affect the number of operators subject
to the Rule. For example, FTC staff believes that all or nearly all operators of websites or online
services that collect “biometric identifiers” from children are already subject to the Rule. In
total, to the extent that any of the Commission’s amendments to the Rule’s definitions might
result in minor additional numbers of operators being subject to the Rule, FTC staff believes that
any such increase will be offset by other operators of websites or online services adjusting their
information collection practices so that they will not be subject to the Rule.
10
Exemption 7(A) of the Freedom of Information Act, 5 U.S.C. 552(b)(7)(A), would apply to withhold information
from pending or active investigations where disclosure is reasonably expected to cause articulable harm.
11
See, e.g., Section 21(c) of the FTC Act, 15 U.S.C. 57b-2(c).
12
Id.
6
�For this burden analysis, the Commission staff has updated its recently published estimate
of new operators per year to a new estimate of 430 new operators per year.13 Commission staff
also retains its estimate that no more than one additional COPPA Safe Harbor program applicant
is likely to submit a successful request within the next three years of PRA clearance.
B. Recordkeeping Hours
Commission staff does not expect that the Rule amendments will increase operators’
recordkeeping obligations. With respect to the FTC-approved COPPA Safe Harbor programs,
similarly, the Commission has not revised the recordkeeping requirement applicable to those
programs under § 312.11(d)(3).
C. Disclosure Hours: 145,590 (derived from 4,300 + 141,220 + 70).
1. New Operators’ Disclosure Burden: 4,300.
FTC staff estimates that the Rule affects approximately 430 new operators per year. The
amended Rule includes a new requirement that operators establish, implement, maintain, and
disclose a data retention policy. Staff estimates it will require, on average, approximately 10
hours per new operator to meet the data retention policy requirement. This yields an estimated
annual hours burden of 4,300 hours (430 respondents × 10 hours).14
2. Existing Operators’ Disclosure Burden: 141,220.
The amended Rule imposes various new disclosure requirements on operators that will
require them to update the direct and online notices that they previously provided. Specifically,
the amendments require operators to update the direct and online notices with additional
information about the operators’ information practices. Additionally, the amended Rule requires
operators to disclose a data retention policy. Finally, the amended Rule will now require
operators utilizing the support for the internal operations exception, 16 CFR 312.5(c)(7), to
provide an online notice.15
13
The average growth rate from 2013 through 2021 for Software Publishing and Other Information Services (which
includes Internet publishing) was 7.4%. See https://www.census.gov/programs-surveys/susb/data/tables.html.
Multiplying this rate by the estimated number of existing operators, 5,710, gives an estimate of approximately 430
new operators per year on a going forward basis. This new estimate is different from the previously published
estimate of 280 new operators per year in the 2024 NPRM as it uses a different, more up-to-date data source. See
2024 NPRM, 89 FR 2034 at 2065 n.354.
14
The Commission has pre-existing PRA approval for its longstanding estimate that new operators of websites and
online services will require, on average, approximately 60 hours to draft a privacy policy, design mechanisms to
provide the required online privacy notice and, where applicable, provide the direct notice to parents. The proposed
amendments would add 10 hours to this disclosure estimate for new operators.
15
Previous burden estimates have not distinguished between the burden on this subset of operators who had no
disclosure obligations under the Rule and the burden on operators who were required to provide both a direct and an
online notice – the analysis assumed that this subset of operators had the same, higher burden. This analysis takes
the same approach in assuming that operators who now have to provide an online notice will have the same burden,
7
�FTC staff believes that an existing operator’s time to make these changes to its online and
direct notices for the first time would be no more than that estimated for a new entrant to craft an
online notice and direct notice for the first time, i.e., 60 hours.16 FTC staff believes the time
necessary to develop, draft, and publish a data retention policy is approximately 10 hours.
Therefore, these disclosure requirements will amount to a one-time burden of approximately 70
hours. Annualized over three years of PRA clearance, this amounts to approximately 23 hours
(70 hours ÷ 3 years) per operator each year. Aggregated for the 6,140 existing operators, the
annualized disclosure burden for these requirements would be approximately 141,220 hours per
year (6,140 respondents × 23 hours).
3. Safe Harbor Program Disclosure Burden: 70.
The amended Rule will also require each FTC-approved COPPA Safe Harbor program to
provide a list of all current subject operators on each of the FTC-approved COPPA Safe Harbor
program’s websites and online services, and the amended Rule further requires that such list be
updated every six months thereafter. Because FTC-approved COPPA Safe Harbor programs
likely already keep up-to-date lists of their subject operators, Commission staff does not
anticipate this requirement will significantly burden FTC-approved COPPA Safe Harbor
programs. To account for time necessary to prepare the list for publication and to ensure that the
list is updated every 6 months, Commission staff estimates 10 hours per year. Aggregated for
one new FTC-approved COPPA Safe Harbor program and six existing FTC-approved COPPA
Safe Harbor programs, this amounts to an estimated cumulative disclosure burden of 70 hours
per year (7 respondents × 10 hours).
D. Reporting Hours: 371 (derived from 350 + 21).
The amendments require FTC-approved COPPA Safe Harbor programs to include
additional content in their annual reports. The amendments also require each FTC-approved
COPPA Safe Harbor program to submit a report to the Commission every three years detailing
the program’s technological capabilities and mechanisms for assessing subject operators’ fitness
for membership in the program.
The burden for using subject operator audits to prepare the annual audits likely varies by
FTC-approved COPPA Safe Harbor program, depending on the number of subject operators.
Commission staff estimates that the additional reporting requirements for the annual report will
require approximately 50 hours per program per year. Aggregated for one new FTC-approved
COPPA Safe Harbor program (50 hours) and six existing (300 hours) FTC-approved COPPA
60 hours, to develop an online notice as other existing operators would take to develop both a direct notice and an
online notice.
16
FTC staff maintains its longstanding estimate that new operators of websites and online services will require, on
average, approximately 60 hours to draft a privacy policy, design mechanisms to provide the required online privacy
notice, and, where applicable, provide the direct notice to parents. See, e.g., Children’s Online Privacy Protection
Rule, Notice, 86 FR 55609 (Oct. 6, 2021), available at https://www.govinfo.gov/app/details/FR-2021-10-06/202121753; 2022 COPPA PRA Supporting Statement, available at https://omb.report/icr/202112-3084002/doc/119087900.
8
�Safe Harbor programs, this amounts to an estimated cumulative reporting burden of 350 hours
per year (7 respondents × 50 hours).
Regarding the reports that the amended Rule will require FTC-approved Safe Harbor
programs to submit to the Commission every three years, § 312.11(c)(1) of the existing Rule
already requires FTC-approved COPPA Safe Harbor programs to include similar information in
their initial application to the Commission. Specifically, § 312.11(c)(1) requires that the
application address applicants’ business models and the technological capabilities and
mechanisms they will use for initial and continuing assessment of operators’ fitness for
membership in their programs. Consequently, the three-year reports should merely require
reviewing and potentially updating an already-existing report. Staff estimates that reviewing and
updating existing information to comply with § 312.11(f) will require approximately 10 hours
per FTC-approved COPPA Safe Harbor program. Divided over the three-year period, FTC staff
estimates that annualized burden attributable to this requirement would be approximately 3.33
hours per year (10 hours ÷ 3 years) per FTC-approved COPPA Safe Harbor program, which staff
will round down to 3 hours per year per FTC-approved COPPA Safe Harbor program. Given
that several FTC-approved COPPA Safe Harbor programs are already available to website and
online service operators, FTC staff anticipates that no more than one additional COPPA Safe
Harbor program applicant is likely to submit a successful request within the next three years of
PRA clearance. Aggregated for one new FTC-approved COPPA Safe Harbor program and six
existing FTC-approved COPPA Safe Harbor programs, this amounts to an estimated cumulative
reporting burden of 21 hours per year (7 respondents × 3 hours).
Estimated Additional Annual Labor Costs: $80,917,545 (derived from $80,902,735 +
$14,810).
A. Disclosure: $80,902,735 (derived from $2,390,193 + $78,504,706 + 7,836).
1. New Operators: $2,390,193.
As previously noted, Commission staff estimates a total annual hours of burden for the
amendments to the Rule of 4,300 hours (430 respondents × 10 hours). Consistent with its past
estimates and based on its 2013 rulemaking record,17 FTC staff estimates that the time spent on
compliance for new operators covered by the COPPA Rule would be apportioned five to one
between legal (outside counsel lawyers or similar professionals) and technical (e.g., computer
programmers, software developers, and information security analysts) personnel. Therefore,
Commission staff estimates that approximately 3,583 of the estimated 4,300 hours required will
be completed by legal staff.
Regarding legal personnel, Commission staff anticipates that the workload among law
firm partners and associates for assisting with COPPA compliance would be distributed among
attorneys at varying levels of seniority. Assuming two-thirds of such work is done by junior
associates at a rate of approximately $559 per hour, in 2025, and one-third by senior partners at
17
See, e.g., 78 FR 3972, 4007 (Jan. 17, 2013); 2022 COPPA PRA Supporting Statement.
9
�approximately $847 per hour in 2025, the weighted average of outside counsel costs would be
approximately $655 per hour.18
FTC staff anticipates that computer programmers responsible for posting privacy policies
and implementing direct notices and parental consent mechanisms would account for the
remaining approximately 717 hours. FTC staff estimates an hourly wage of $60.43 for technical
personnel in 2025, based on Bureau of Labor Statistics (“BLS”) data.19 Accordingly, associated
annual labor costs would be $2,390,193 in 2025 [(3,583 hours × $655/hour) + (717 hours ×
$60.43/hour)] for the estimated 430 new operators.
2. Existing Operators: $78,504,706 (derived from $77,082,365 + $1,422,341).
As previously discussed, Commission staff estimates that the annualized disclosure
burden for these new requirements for the 6,140 existing operators would be 141,220 hours per
year. Thus, apportioned five to one, this amounts to 117,683 hours of legal and 23,537 hours of
technical assistance. Applying hourly rates of $655 and $60.43, respectively, for these personnel
categories, associated labor costs would total approximately $78,504,706 ($77,082,365 +
$1,422,341) in 2025.
3. Safe Harbor Programs: $7,836.
Previously, industry sources have advised that all of the labor to comply with new FTCapproved COPPA Safe Harbor program requirements would be attributable to the efforts of inhouse lawyers. FTC staff estimates an average hourly rate of $111.94 for a Washington D.C. inhouse lawyer in 2025.20 Applying this hourly labor cost estimate to the hours burden associated
with the estimated 70-hour disclosure burden for the FTC-approved COPPA Safe Harbor
programs yields an estimated annual labor cost burden of $7,836 (70 hours × $111.94).
18
These estimates are drawn from the “Fitzpatrick Matrix.” The Fitzpatrick Matrix was developed to provide a tool
for the “reliable assessment of fees charged for complex [civil] federal litigation” in the District of Columbia and has
been adopted by, among others, the Civil Division of the United States Attorney’s Office for the District of
Columbia. See Fitzpatrick Matrix, Civil Division of the United States Attorney’s Office for the District of
Columbia, Fitzpatrick Matrix, 2013–2024 (quoting DL v. District of Columbia, 924 F.3d 585, 595 (D.C. Cir. 2019)),
available at https://www.justice.gov/usao-dc/media/1353286/dl?inline. It is used here as a proxy for market rates for
litigation counsel in the Washington, DC area. In order to estimate what the mean hourly wages will be in 2025
($559 and $847 for junior associates and senior partners), staff applies the average growth rate in wages from 2013
through 2024 for junior associates and senior partners (9.7% and 5.5% respectively) to the 2024 mean hourly wages
($510 and $803) for one additional year.
19
The estimated mean hourly wages for technical personnel ($56.03) are based on an average of the mean hourly
wage for computer programmers, software developers, information security analysts, and web developers as
reported by the Bureau of Labor Statistics. See Bureau of Labor Statistics, Occupational Employment and Wages—
May 2023, Table 1 (May 2023) (“BLS Table 1”), available at https://www.bls.gov/news.release/ocwage.t01.htm
(National employment and wage data from the Occupational Employment Statistics survey by occupation). In order
to estimate what the mean hourly wages will be in 2025 ($60.43), staff applies the average growth rate in wages
from 2013 through 2023 for technical personnel (3.85%) to the 2023 mean hourly wages ($56.03) for two additional
years.
20
https://www.roberthalf.com/us/en/job-details/in-house-counselassociate-general-counsel-10yearsexperience/washington-dc.
10
�B.
Reporting: $14,810.
FTC staff assumes that compliance officers, at a mean estimated hourly wage of $39.92
in 2025, will prepare FTC-approved COPPA Safe Harbor programs’ annual reports and the
triennial report.21 Applying this hourly labor cost estimate to the hours burden associated with
preparing annual audit reports and the annualized burden for the triennial report yields an
estimated annual labor cost burden of $14,810 (371 hours × $39.92).
(13)
Capital and Other Non-Labor Costs
Because both operators and FTC-approved COPPA Safe Harbor programs will already be
equipped with the computer equipment and software necessary to comply with the Rule’s notice
requirements, the amended Rule should not impose any additional capital or other non-labor
costs.
(14)
Estimated Cost to the Federal Government
FTC staff estimates only marginal increases to the current staff and other assistance
requirements to enforce the current Rule, which currently requires approximately 4
attorney/investigator work years for a total cost of approximately $800,000 per year. In addition,
travel costs or other expenses associated with enforcing and administering the Rule are
anticipated to total approximately $18,000 per year. Thus, the approximate total cost to the FTC
in connection with these cumulative enforcement and monitoring activities will be $818,000 per
year. Clerical and other support services are included in these estimates.
(15)
Program Changes or Adjustments
This would be a program change, not an adjustment. The estimated additional annual
hours of burden would be 145,961, and the estimated additional annual labor costs would be
$80,917,545.
(16)
Statistical Use of Information/Publication of Results
Not applicable. There are no plans to publish for statistical use any information required
by the Rule.
(17)
Requested Permission Not to Display the Expiration Date for OMB Approval
The OMB control number and expiration date associated with this Paperwork Reduction
Act submission will be displayed on the Federal government’s electronic Paperwork Reduction
21
See BLS Table 1 (compliance officers, $38.55). In order to estimate what the mean hourly wages will be in 2025
($39.92), staff applies the average growth rate in wages from 2013 through 2023 for compliance officers (1.76%) to
the 2023 mean hourly wages ($38.55) for two additional years.
11
�Act docket at www.reginfo.gov. There are no government forms or other documents upon which
display of the control number and expiration date would be appropriate.
(18)
Exceptions to the “Certification for Paperwork Reduction Act Submissions”
Not applicable.
12
�
| File Type | application/pdf |
| File Modified | 0000-00-00 |
| File Created | 0000-00-00 |